Cannot disable pre-registered OAuth2 applications #12447

Closed
opened 2025-11-02 10:10:06 -06:00 by GiteaMirror · 1 comment

Originally created by @Adrian-Hirt on GitHub (Feb 7, 2024).

Description

In #26291, pre-registered OAuth applications were added to gitea.

In my case, we would like to disable them (or rather OAuth2 capabilities in general), but this does not seem to be possible.

A) If I set DEFAULT_APPLICATIONS to an empty value, it will be ignored and both of the pre-configured applications will be enabled. Setting the config value to any other option will raise an error on startup, as there is no pre-configured application with that name. Am I missing something here? Setting this setting to an empty value probably should disable all the pre-configured applications, right?

B) In addition, setting ENABLE = false in the [oauth2] section in app.ini has no effect. It's not possible to view OAuth2 applications, but it's still possible to use the pre-defined applications to log in, e.g. when using git-credential-manager. I'd expect the OAuth2 login endpoint to be completely disabled if the setting ENABLE is set to false, i.e. if this is set to false, logging in with OAuth2 should be completely disabled, also for the predefined applications.


How to reproduce:

For A):

  • Set `DEFAULT_APPLICATIONS = ` (an empty value) in the [oauth2] section in app.ini
  • Set ENABLE = true in [oauth2] section in app.ini
  • Start webserver
  • Navigate to Admin Settings > Applications

Expected behaviour:

  • No pre-configured applications are listed

Observed behaviour:

  • Both git-credential-manager as well as git-credential-oauth applications are present

For B):

  • Set ENABLE = false in [oauth2] section in app.ini
  • Start webserver
  • Start an OAuth request from git-credential-manager, e.g. by cloning a repo via HTTPS

Expected behaviour:

  • The Authorization request should be rejected by gitea, as OAuth2 is disabled

Observed behaviour:

  • The Authorization request works the same as in the case where ENABLE is set to true

Please let me know if you need any other info. I greatly appreciate the work done here, and I can just block these requests on the reverse proxy, but I still wanted to bring this issue to attention. Have a nice day!

Gitea Version

v1.21.5

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/Adrian-Hirt/0f1c5a26892018ac90a04f6aa1f5a4c0

Screenshots

No response

Git Version

No response

Operating System

Fedora 37

How are you running Gitea?

I'm running the binary from the download page.

Database

MySQL/MariaDB

GiteaMirror added the type/proposal label 2025-11-02 10:10:06 -06:00
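As an added illustration (not Gitea's code, and not the fix in #30304), the following hypothetical parser for the two [oauth2] keys discussed above models the semantics the reporter expects: an absent DEFAULT_APPLICATIONS key keeps both builtin applications, a key that is present but empty registers none (case A), an unknown name fails startup, and the authorize gate refuses every client, builtins included, while ENABLE is false (case B). The ini text, the function names and the field layout are assumptions for this example.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Builtin application names Gitea pre-registers, as named in the issue.
var builtinApps = []string{"git-credential-oauth", "git-credential-manager"}
// OAuth2Config holds the two [oauth2] keys the issue discusses.
type OAuth2Config struct {
	Enable bool     // ENABLE
	Apps   []string // builtin apps to register (DEFAULT_APPLICATIONS)
}

// ParseOAuth2Section is a hypothetical ini parser (not Gitea's): an absent DEFAULT_APPLICATIONS
// key keeps every builtin, a present-but-empty one registers none, an unknown name is an error.
func ParseOAuth2Section(ini string) (OAuth2Config, error) {
	cfg := OAuth2Config{Enable: true, Apps: slices.Clone(builtinApps)}
	inSection := false
	for _, line := range strings.Split(ini, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			inSection = line == "[oauth2]"
		}
		key, val, isKV := strings.Cut(line, "=")
		if !inSection || !isKV || strings.HasPrefix(line, ";") {
			continue
		}
		switch key, val = strings.TrimSpace(key), strings.TrimSpace(val); key {
		case "ENABLE":
			cfg.Enable = strings.EqualFold(val, "true")
		case "DEFAULT_APPLICATIONS":
			cfg.Apps = nil // key present: only the names listed survive
			for _, name := range strings.FieldsFunc(val, func(r rune) bool { return r == ',' || r == ' ' }) {
				if !slices.Contains(builtinApps, name) {
					return cfg, fmt.Errorf("unknown builtin oauth2 application %q", name)
				}
				cfg.Apps = append(cfg.Apps, name)
			}
		}
	}
	return cfg, nil
}

// AuthorizeAllowed: nothing is served while ENABLE is false, builtin clients included.
func AuthorizeAllowed(cfg OAuth2Config, clientID string) bool {
	return cfg.Enable && slices.Contains(cfg.Apps, clientID)
}
```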

@wxiaoguang commented on GitHub (Apr 6, 2024):

-> Fix oauth2 builtin application logic #30304


Reference: github-starred/gitea#12447